How to enable Kerberos authentication for remote EJB call on WebSphere?

名媛妹妹 2020-12-31 08:13

My application is a stand-alone Swing client invoking EJB Stateless Session beans thanks to classical JNDI lookup and RMI-IIOP method calls. It is started as a Java WebStart

3 answers
  •  青春惊慌失措
    2020-12-31 08:24

    According to the GSS-API/Kerberos v5 Authentication guide you must authenticate to Kerberos before making your call to the JNDI context. Once you have performed the Kerberos configuration you configure the initial context as follows:

    • When creating the initial context, set the Context.SECURITY_AUTHENTICATION (in the API reference documentation) environment property to the string "GSSAPI".

    I have dealt with getting a Java Client to use Kerberos in the past (although not with JNDI). Here is my approach to remove the need for JVM options and local configuration files on the client side (invoke this code before the client attempts to authenticate):

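    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import javax.security.auth.login.Configuration;

    // Both methods belong in the client's startup class.
    public static void initKerberosConfig()
    {
            // Let GSS-API obtain credentials itself instead of requiring them in the current Subject.
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
            // KDC and realm must be set together; they replace a local krb5.conf.
            System.setProperty("java.security.krb5.kdc", "host.name:88");
            System.setProperty("java.security.krb5.realm", "REALM");
            System.setProperty("sun.security.krb5.debug", "false");
            // Installs the JAAS configuration JVM-wide, so no login config file is needed.
            Configuration progConfig = getProgramaticLoginConfig();
            Configuration.setConfiguration(progConfig);
    }

    private static Configuration getProgramaticLoginConfig()
    {
            Map<String, String> options = new HashMap<>();
            // Reuse the ticket already in the cache and never prompt for a password.
            options.put("useTicketCache", "true");
            options.put("doNotPrompt", "true");
            AppConfigurationEntry krb5LoginModule = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, options);
            final AppConfigurationEntry[] aces = new AppConfigurationEntry[]{krb5LoginModule};
            Configuration progConfig = new Configuration()
            {
                    // The same Krb5LoginModule entry is returned for every application name.
                    @Override
                    public AppConfigurationEntry[] getAppConfigurationEntry(String arg0)
                    {
                            return aces;
                    }

            };
            return progConfig;
    }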
    

    You will probably need to tweak this for your context (java.security.krb5.kdc and java.security.krb5.realm will not be correct) - but I hope it helps. Turn sun.security.krb5.debug true for voluminous quantities of logging.
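Added example, not part of the answer above and not WebSphere or JNDI-guide code: the two steps the answer describes (authenticate to Kerberos first, then create the initial context with `Context.SECURITY_AUTHENTICATION` set to "GSSAPI") written as one flow. The class name, method names, the "client" entry name and the `factory`/`url` parameters are hypothetical; it assumes the realm and KDC are already configured as in `initKerberosConfig()`, and whether a given JNDI provider acts on the GSSAPI setting depends on that provider.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example; class, method and entry names are illustrative assumptions.
public final class GssapiJndiLogin {

    /** Logs in from the existing ticket cache; never prompts for or stores a password. */
    static Subject loginFromTicketCache() throws LoginException {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");
        options.put("doNotPrompt", "true");
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options) };
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries;
            }
        };
        // Passing the Configuration directly avoids replacing the JVM-wide default.
        LoginContext lc = new LoginContext("client", null, null, config);
        lc.login(); // throws LoginException when the cache holds no usable TGT
        return lc.getSubject();
    }

    /** Creates the initial context as the Kerberos subject, requesting GSSAPI authentication. */
    static Context openContext(Subject subject, String factory, String url)
            throws PrivilegedActionException {
        final Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        return Subject.doAs(subject,
                (PrivilegedExceptionAction<Context>) () -> new InitialContext(env));
    }
}
```

Catching `LoginException` from `loginFromTicketCache()` separately from the `NamingException` wrapped in `PrivilegedActionException` distinguishes a missing or expired ticket from a failure at the naming service.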
